North American Network Operators Group


Re: Tracing where it started

  • From: George Bakos
  • Date: Mon Jan 27 04:51:47 2003

Graphs of our observances are available at:
	http://people.ists.dartmouth.edu/~gbakos/sapphire

Here's the earliest port 1434 probe that I find. Localtimes are EST. Pay
no attention to the port 123 business; I like to include ntp with my dumps
to facilitate correlation:

[[email protected] hpot]# tcpslice 1041153985 1041154648 ../tcpdump.1041060689 | tcpdump -ttttnr - port 1434 or port 123 or port 53
12/29/2002 09:26:25.248240 140.162.8.25.123 > 64.222.84.217.123:  v4 server strat 2 poll 10 prec -16 (DF) [tos 0x10] 
12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain]

And the dump:

12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain]
                         4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
                         40de 54d9 0035 059a 000d eeab 0200 0000
                         00

I ran through packet logs from several networks starting Dec 1. This is
the earliest I can find. As indicated above, there was certainly no prior
DNS request.

Just for poops & snickers, let's have a peek at 216.150.155.11, shall we?

 NetRange:   216.150.150.0 - 216.150.157.255 
 CIDR:       216.150.150.0/23, 216.150.152.0/22, 216.150.156.0/23 
 NetName:    EASYCGI-150-157
 NetHandle:  NET-216-150-150-0-1
 Parent:     NET-216-150-128-0-1
 NetType:    Reassigned
 NameServer: NS1.EASY-CGI.COM
 NameServer: NS2.EASY-CGI.COM
 Comment:    
 RegDate:    2002-06-19
 Updated:    2002-08-08

[[email protected] gbakos]$ nc 216.150.155.11 80
GET / HTTP/1.0     

HTTP/1.0 404 Not Found
Server: Microsoft-IIS/5.0
Date: Mon, 27 Jan 2003 03:38:32 GMT
Content-Type: text/html
Content-Length: 111
Age: 440
X-Cache: HIT from bunta.alpinista.dyndns.org
Connection: close

<html><head><title>Site Not Found</title></head>
<body>No web site is configured at this address.</body></html>

Why doesn't this surprise me? Anyone want to run this guy down and apply
the "sucker rod" section of syslogd(8) ?

On Sun, 26 Jan 2003 09:11:11 -0800
John Sage <[email protected]> wrote:

> Tom et al:
> 
> On Sat, Jan 25, 2003 at 09:59:42PM -0500, tom glaab wrote:
> > Johannes Ullrich wrote:
> > 
> > >wow... excellent catch. here is some data I have:
> > >
> > 
> > Hmmm...
> > 
> > I first see 67.8.33.179 on 20 January:
> 
> <snippage>
> 
> > But found my first (and only, prior to 20 Jan) hits on udp/1434 much 
> > earlier:
> > 
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 
> > 12.10.144.249:53 x.y.z.83:1434 L=33 S=0x00 I=38557 F=0x0000 T=108 (#1303)
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 
> > 12.10.144.249:53 x.y.z.84:1434 L=33 S=0x00 I=63999 F=0x0000 T=108 (#1303)
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 
> > 12.10.144.249:53 x.y.z.85:1434 L=33 S=0x00 I=12853 F=0x0000 T=108 (#1303)
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 
> > 12.10.144.249:53 x.y.z.86:1434 L=33 S=0x00 I=61180 F=0x0000 T=108 (#1303)
> 
> I'm betting the dlen=33 is this:
> 
> Generated by ACID v0.9.6b21 on Sun January 26, 2003 08:53:59
> ------------------------------------------------------------------------------
> #(458 - 93) [2002-10-16 13:16:44]  UDP inbound to 1434 MS SQL monitor
> IPv4: 217.226.25.204 -> 12.82.130.126
>       hlen=5 TOS=0 dlen=33 ID=1541 flags=0 offset=0 TTL=115 chksum=48968
> UDP:  port=53 -> dport: 1434 len=13
> Payload:  length = 5
> 
> 000 : 02 00 00 00 00                                    .....
> ------------------------------------------------------------------------------
> #(524 - 103) [2002-11-20 01:03:39]  UDP inbound to 1434 MS SQL monitor
> IPv4: 80.128.175.135 -> 12.82.141.35
>       hlen=5 TOS=0 dlen=33 ID=57947 flags=0 offset=0 TTL=116 chksum=51955
> UDP:  port=53 -> dport: 1434 len=13
> Payload:  length = 5
> 
> 000 : 02 00 00 00 00                                    .....
> ------------------------------------------------------------------------------
> 
> This is all I've got with src port = 53 AND dst port = 1434
> 
> 
> - John
> -- 
> Has the preparation
> of your heart been ready?
> Almost, calm down.
> 
>     PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705


-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
[email protected]
voice 	603-646-0665
fax	603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 9EB2 081E CB85
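Added example (not code from the post, from ISTS, or from the tools quoted in the thread): a small decoder that takes the tcpdump hex dump above, parses the IPv4 and UDP headers, verifies both checksums, and renders the fields under the names ACID and the kernel packet log use, so the three sources in the thread (dlen=33 / L=33, PROTO=17, UDP len=13, the five-byte payload) can be checked against one another from the raw bytes. The function and field names are this example's own; only the hex words are taken from the post.

```python
import struct
from dataclasses import dataclass

# Hex dump of the 29 Dec 2002 port-1434 probe, copied from the tcpdump
# output in the post; the parsing code around it is an added example.
SAMPLE_DUMP = """
4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
40de 54d9 0035 059a 000d eeab 0200 0000
00
"""


def dump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x style hex (whitespace-separated words) into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: 16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"          # an odd trailing byte is zero-padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


@dataclass
class UdpDatagram:
    src: str
    dst: str
    ip_id: int
    ttl: int
    total_len: int          # ACID's "dlen", the kernel log's "L="
    ip_checksum_ok: bool
    sport: int
    dport: int
    udp_len: int            # ACID's "UDP ... len="
    udp_checksum_ok: bool
    payload: bytes


def decode_ipv4_udp(raw: bytes) -> UdpDatagram:
    """Decode an IPv4/UDP datagram and verify the IP and UDP checksums."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 17:
        raise ValueError("not UDP (PROTO=%d)" % proto)
    ihl = (ver_ihl & 0x0F) * 4
    # Summing the header with its checksum field included gives 0xFFFF when intact.
    ip_ok = ones_complement_sum(raw[:ihl]) == 0xFFFF

    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    segment = raw[ihl:ihl + udp_len]
    # The UDP checksum also covers a pseudo-header: addresses, zero, proto, length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    udp_ok = udp_csum == 0 or ones_complement_sum(pseudo + segment) == 0xFFFF

    return UdpDatagram(
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
        ip_id=ip_id, ttl=ttl, total_len=total_len, ip_checksum_ok=ip_ok,
        sport=sport, dport=dport, udp_len=udp_len, udp_checksum_ok=udp_ok,
        payload=segment[8:],
    )


def is_dns_port_sql_monitor_probe(pkt: UdpDatagram) -> bool:
    """The correlation key used in the thread: src port 53 -> dst port 1434
    carrying the 5-byte 02 00 00 00 00 payload (IP dlen 33, UDP len 13)."""
    return (pkt.sport == 53 and pkt.dport == 1434
            and pkt.payload == b"\x02\x00\x00\x00\x00")


def acid_style_summary(pkt: UdpDatagram) -> str:
    """Render the decoded packet with the field names ACID prints, so the
    tcpdump hex can be compared with the ACID records quoted in the thread."""
    return ("IPv4: %s -> %s dlen=%d ID=%d TTL=%d | UDP: port=%d -> dport: %d len=%d"
            " | payload: %s" % (pkt.src, pkt.dst, pkt.total_len, pkt.ip_id, pkt.ttl,
                                pkt.sport, pkt.dport, pkt.udp_len, pkt.payload.hex(" ")))


if __name__ == "__main__":
    pkt = decode_ipv4_udp(dump_to_bytes(SAMPLE_DUMP))
    print(acid_style_summary(pkt))
    print("checksums ok:", pkt.ip_checksum_ok, pkt.udp_checksum_ok)
    print("matches the thread's probe signature:", is_dns_port_sql_monitor_probe(pkt))
```

Both checksums in the dump verify, which is worth knowing before treating a five-byte payload as evidence: a capture that has been truncated or hand-edited fails the check and should not be correlated with other sensors' records. The predicate deliberately keys on the exact five-byte payload as well as the port pair, because src port 53 to dst port 1434 on its own is just the filter John Sage ran; the payload is what makes the December entries from different networks look like the same scan.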